(Ed: This is a letter Tatu YlÃ¶nen, chairman and CTO of SSH Communications Security Corp., sent to NewsForge and a couple of ssh-related lists early Friday morning.)
Update: Theo de Raadt of OpenSSH had no immediate comment on YlÃ¶nen's letter, except to emphasize that SSH Communications Security has a trademark on a "picture of three lowercase ssh letters in a special
Subject: ssh(R) trademark issues: comments and proposal
I'd like to address several issues raised by people in relation to my
notice of the ssh(R) trademark to the OpenSSH group. Also, I would
like to make a proposal to the community for resolving this issue
(included at the end).
First, I'll answer a number of questions and arguments presented in
> "the SSH Corp trademark registration in the US is for a logo only"
It is for the lowercase word "ssh" (I was mistaken earlier in saying
that it was for the uppercase word "SSH"). As many people obviously
know, trademark registrations in the USA are a matter of public record
and it is open to anyone to review the details of SSH Corp's trademark
Under US law, a trademark registration entitles the owner to exclusive
use of the trademark as it is registered, in relation to the goods
and/or services for which it is registered. Trademark infringement
occurs when another person uses the same, or a substantially identical
mark, for the same or related goods or services, in a manner which is
likely to cause consumer confusion. Consequently, use of the
uppercase word "SSH" or a name containing the "ssh" or "SSH" mark will
likely amount to trademark infringement under US law, if it is in
relation to goods or services within the same field of use covered by
our ssh(R) trademark. Of course, there are many possible
non-infringing uses of "SSH", for example, anyone might have a brand
of chocolade called "SSH".
> "A license was granted in 1995 that allows free use of the
This is not accurate, but refers to the following language in
ssh-1.2.12 COPYING file:
As far as I am concerned, the code I have written for this software
can be used freely for any purpose. Any derived versions of this
software must be clearly marked as such, and if the derived work is
incompatible with the protocol description in the RFC file, it must
called by a name other than "ssh" or "Secure Shell".
First, this is a copyright license ("the CODE can be used..."), with an
additional restriction on naming. It is not a trademark license.
Also, this text is from the COPYING file from ssh-1.2.12, dated Nov
17, 1995. The trademark claims were made in 1996 (ssh-1.2.13 was the
first release claiming them, released on Feb 11, 1996), and this
license provision would not have covered them anyway. Ever since, our
policy has been not to allow unauthorized use of the trademarks. The
trademark claims have been made consistently in every release ever
> "no-one has ever been notified of infringement"
For example, I notified Van Dyke of the trademark a few years ago when
they used the SSH mark on their web site inappropriately. We
discussed it, they were very co-operative, and immediately added
trademark markings and acknowledgement on their website. Issue
solved. (They were not using it in a product name.)
Basically, anyone we have ever really encountered in the marketplace
has either been notified or is a licensee of ours.
> "F-Secure SSH has been using the name for years"
F-Secure (formerly Data Fellows) is our distributor/VAR, and they are
using the SSH trademark in their product name under a separate written
trademark license agreement. All of the F-Secure SSH products are SSH
Communication Security Corp's products, some verbatim and some with
modifications by F-Secure.
> (reference to FiSSH, TTSSH, Top Gun ssh, etc.)
These are all non-commercial academic projects made at universities.
We have never really encountered any one of these in the marketplace.
We have tried to notify commercial people who have been using the
trademark inappropriately. OpenSSH was the first non-commercial
implementation to raise to the radar screen.
> "why did you notify OpenSSH now"
The reason OpenSSH was contacted now was that they have only become
more visible during the last months, and I have recently seen a
significant increase in e-mails confusing the meaning of the SSH
trademarks and using them inappropriately. I have also recently
received quite a few e-mails confusing OpenSSH as my product.
> "how about the 'ssh' command name under Unix/Linux?"
This relates to the proposal I want to make.
Basically, I am willing to work out a way that will allow anyone to use
the "ssh" command name on Unix/Linux. It appears that there are
ways to do it without exposing our trademarks to unnecessary risk.
The arrangement I am proposing would be as follows.
- We (SSH Corp) would allow the use of "ssh" (and sshd, etc) as a
command name on Unix/Linux under the following restrictions:
- Any product where the command name "ssh" is used must only be
licensed under a valid license (i.e., must not be in the
public domain). E.g. BSD license, GPL, and normal commercial
licenses would all be ok.
An acknowledgement of our ownership of the ssh(R) and Secure
Shell(TM) trademarks must be included in the software (help
text, documentation, license). It would not need to be
printed out every time the program is normally run, but would
need to be included in e.g. in an appropriate place on man
pages and in help texts.
The SSH Corp trademarks cannot be used in product names
without a separate trademark license from us (which we would
not normally grant, unless we see a valid business case for
it, and then only for products using a compatible protocol).
A new unencumbered name is created for the protocol, which can be
used by any vendor without creating confusion. The IETF standard
would be renamed to use the new protocol name, and the community
would work to cease using "SSH" as a protocol name and would
instead start using the new name. The new name would need to be
unencumbered, and the xx.com, xx.net, and xx.org domain names
would be made to permanently point to e.g. the IETF main page. My
own proposal would be to change the name to SECSH, provided that
Van Dyke is willing to contribute their currently unused secsh.com
domain name for this purpose. We would be willing to contribute
our secsh.org and secsh.net domains on the same basis.
We would submit an official statement to the IETF that we will make
trademark claims about the "bits on the wire" in the protocol
the protocol version strings or the various names used in the
- We would need to reach agreement with the OpenSSH group to change
their product name and to otherwise cease using the SSH
trademarks inappropriately. We appreciate that some people have
brought the non-commercial university group use to our attention.
We are carefully reviewing this situation.
Let's discuss the exact terms if I get a preliminary "ok, looks fine,
let's try to get this resolved along those lines" from the community
and the relevant parties.
Please let us know what you think.
Chairman and CTO, SSH Communications Security Corp
PS. For reference, if someone hasn't seen it yet, I'll include my
original e-mail to the OpenSSH mailing list. (Ed: The original letter was posted at Slashdot.)